Practical Technology

for practical people.

We’re a long, long way from securing the Web with SSL/TLS


Firesheep can certainly be misused as a hacking tool. It was meant, however, to serve as a wake-up call to everyone that Web site managers were doing a lousy job of securing their Web sites. How has that worked out? Not well at all as far as I can tell.

I, and lots of other people, have written lots of stories about what you can do to protect yourself from Firesheep; how to keep your Wi-Fi connection safer; and what Web site administrators need to do to secure their sites. So, I’m sure some people at least are trying to practice safe Interneting. But, what about the Web hosting companies and the major Web sites? Eh, not so much.

Over at the official Firesheep Google group, there’s a whole 143 messages, and most of them are technical support style questions. I don’t see a single message about how someone would go about securing their Web server. Mind you, there’s no rocket science to how to start using Transport Layer Security (TLS) and Secure Sockets Layer (SSL), or HTTP over TLS/SSL (HTTPS). But, you’d think someone would ask. They haven’t.

Far more telling is AccessNow’s analysis of the top 100 Web sites. According to AccessNow, a group devoted to the belief that the realization of human rights and democracy in the twenty-first century depends on Internet access, only 99 of the 100 most popular Web sites currently use TLS/SSL correctly.
